This Central Register Law is part of a legislative package (although the legislator has opted for two separate laws), including the law of 25 March 2020 amending the law of 12 November 2004 on the fight against money laundering and terrorism financing, as amended (the “2004 Law”) (additional information on such law may be found at the following link).
The Central Register Law aims at implementing certain provisions of EU Directive 2018/8431 (the “5th AML Directive”) by establishing a Luxembourg central electronic data retrieval system, which enables the identification in a timely manner, of any natural or legal person holding or controlling payment accounts, bank accounts identified by an IBAN2, and safe-deposits boxes in Luxembourg (the “Central Register”).
In this context, the Central Register Law sets out a two-tier system, comprising a new obligation imposed on credit institution, Luxembourg branches of credit institutions, and/or any person established in Luxembourg, including Luxembourg branches, holding payment or bank accounts identified by an IBAN number and/or safe-deposit boxes (the “Obliged Entities”) to set up an internal file containing a series of information on the holders of bank and payment accounts and safe-deposit boxes held in their books (the “Internal Files”) (1) and the setting up and management of the Central Register by the Luxembourg Commission de Surveillance du Secteur Financier, the CSSF (2).
1.The requirement for Obliged Entities to set up an Internal File
As stated above, the Central Register Law provides for the obligation for Obliged Entities to set up an Internal File containing a series of information on the holders of bank, payment accounts and safe-deposit boxes held in their books.
1.1.Which data should be included in the Internal Files?
In relation to bank and payment accounts, the Internal File must contain the following information:
This information must be up-to-date, accurate and adequate and kept for the same retention periods as those provided for under the 2004 Law (i.e. 5 years without prejudice to any longer retention period). The Central Register Law provides that the CSSF will define the format which the Internal File must take. 1.2.Access to the internal data files and outsourcing of certain obligations
Obliged entities must ensure an electronic access to the information kept in the Internal File to the benefit of the CSSF. Obliged Entities are also required to ensure the confidentiality of the access by the CSSF to the Internal File.
1.3.Reliance on third parties
The Central Register Law provides that Obliged Entities may rely on third parties on the basis of a services agreement for the execution of certain of their obligations which must comply with i.a. provisions relating to professional secrecy.
1.4.Sanctions for non-compliance
The Central Register Law provides that the CSSF may sanction Obliged Entities which do not comply with the above obligations, by i.a. an administrative fine of an amount between EUR 1.250 and EUR 1.250.000. Except where this would not be proportionate in view of the circumstances or would compromise the stability of financial markets, such sanction shall be published on the website of the CSSF.
2.Creation of a central electronic data retrieval system by the CSSF
The CSSF shall set up and manage a Central Register containing the information from the Internal Files.
The CSSF can access directly, immediately and without any restriction filter the data contained in the Internal Files, by means of a secure procedure. This information may only be accessed by designated personnel at the level of the CSSF.
In addition, designated personnel at the level of the Luxembourg financial intelligence unit, the Cellule de Renseignements Financiers (the “CRF”) will also have direct, immediate and unfiltered access to the Central Register set-up by the CSSF, as part of its ongoing duties.
Finally, other national authorities and self-regulatory bodies listed in the Central Register Law (including for instance the Luxembourg public prosecutor’s office, police agents, the investigating magistrate, the Commissariat aux Assurances, the tax administration, the Administration de l’Enregistrement, des domains et de la TVA, the Luxembourg secret services) may upon request to the CSSF, receive access to the information contained in the Central Register, by providing the CSSF with a list of a limited number of authorized personnel to that end. Competent authorities shall also ensure that such personnel follow adequate trainings.
1. EU Directive 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
2. As defined by regulation (EU) No 260/2012 of the European Parliament and of the Council.